Summary

Implement the three Deterministic Random Bit Generator (DRBG) mechanisms
described in NIST 800-90Ar1.

Non-Goals

Provide API for Source of Entropy Input (SEI), or implement approved SEI on all platforms, where "approved" means approved
by NIST or FIPS.

Motivation

The JDK has two kinds of SecureRandom implementations. One is
platform-dependent and based on native calls or OS devices such as
reading /dev/{u}random on Unix, using the CryptoAPI on Windows, and
using various preconfigured PKCS11 libraries. The latest releases of
Solaris, Linux and Windows
already support DRBG, but older releases and embedded systems might
not. The other kind is a pure Java implementation that uses
an older SHA1-based RNG implementation, which is not as strong as the
algorithms used by approved DRBG mechanisms.

The DRBG mechanisms developed and approved by NIST (as in SP 800-90Ar1)
use modern algorithms as strong as SHA-512 and AES-256. Each of these
mechanisms can be configured with different security strengths and
features to match user requirements. Support for these mechanisms is
becoming very important in some environments, especially for the
U.S. Government.

Description

According to NIST SP 800-90, a random bit generator (RBG, 800-90C) is
constructed with a source of entropy input (800-90B and 800-90C) and a
DRBG mechanism (800-90Ar1). The source of entropy input provides fresh
randomness (entropy) as a seed to the DRBG mechanism, which is then able
to continuously generate "random" bit sequences.

APIs

New methods for SecureRandom matching 800-90C, which allows
configuration of a SecureRandom object and specifying
additional input in the course of seeding, reseeding,
and random-bit generation.

New methods in SecureRandomSpi, to implement the new methods above.

A new SecureRandomParameters interface so that additional input can be provided to the new SecureRandom methods.

These new APIs should be generalized enough for any SecureRandom flavors
(not just DRBG) and can be added to SecureRandom and SecureRandomSpi.

A new DrbgParameters class (and its inner classes) implementing SecureRandomParameters to be used by DRBG.

Implementation

Implement the three DRBG mechanisms (Hash_DRBG, HMAC_DRBG, CTR_DRBG)
in 800-90Ar1 (on all platforms).

By-products

SHA-512/224 and SHA-512/256 secure hash algorithms as described in
FIPS 180-4.